Liam Tung

In sport, sometimes the best defence is a good offence, but since hacking is considered illegal, organisations under a cyber attack only have defensive options. Or do they? A legal expert says retaliatory hacking might not be illegal in Australia.

The general rule for penetration testers, or hackers who make a crust breaking into others' computers, is don't hack unless you've got consent.

"We can hack when we have permission to do it," says Rob McAdam, chief executive of penetration-testing firm PureHacking.

McAdam says he's been asked twice over 11 years to "hack back". "They were international sources that asked us to help with domestic circumstances, but both times we refused."


"White hat" hacking services that McAdam and others provide help customers mitigate vulnerabilities, such as un-patched software, that "blackhat" or bad hackers could exploit.

"Hack back" on the other hand moves the battle beyond the victim's network to the attacker's turf. The thinking goes that a company could eliminate a competitive technology that was born out of its stolen IP.

Matt Keil, senior research analyst with Palo Alto Networks, previously told IT Pro he did not recommend it.

"I don't think companies should venture down that path. At a government level, this type of probing and poking has been going on for many years. I wouldn't condone attacking other organisations at government or company level," Keil says.

Questions over the legality of cyber retaliation linger for lawmakers in Australia and the US. Supporters say it's a necessary evolution in the fight against malicious hackers who only need to find the weakest point to gain entry. One employee who opens a malware-laden phishing email could be enough.

Earlier this year, a US private commission on intellectual property argued that laws and law-enforcement couldn't keep pace with nimble hackers, and petitioned for legal reform that would permit acts of self-defence if law enforcement support was limited.

Alongside calls in the US for more freedom to hack back, a new breed of security company has emerged promising "active defence". FireEye is one example, but the best-known is CrowdStrike, which promises to identify hackers, reveal their intent and disrupt their intrusion.

"It's less about trying to keep them out and more about being able to hunt them down and limit the damage that they're able to do," CrowdStrike CEO George Kurtz told IT Pro recently. "You want to make it really costly for them to get in and you want to be able to identify them very quickly and eradicate them from the network."

While the company has mocked "passive defence", it's also been careful to avoid claiming it actually offers hack back services due to the tough stance the US takes on hacking.

"There isn't much 'hack back' going on in the real world these days," says H.D. Moore, chief researcher at US penetration testing firm Rapid7 and founder of Metasploit, a popular attack toolkit both blackhat and whitehat hackers use for remote intrusion, either to improve or break defences.

"Hack back is illegal as hell in the US, and even if you're military or intelligence, it's illegal until you get approval directly from the executive branch," he adds.

In Europe things are a little looser. "Their perspective is that no one's going to go after them if they're hacking bad guys, so they just sit around and hack Syria all day or Iran," Moore says.

Unlike the US, Australian organisations may have an option to fight back, according to Dr Alana Maurushat, a senior lecturer at UNSW's Law Faculty, who has contributed to the cyber elements of Australia's Model Criminal Code (MCC).

"Depending how it is done, it may not be illegal," Dr Maurushat tells IT Pro, pointing to a 2001 MCC Officers Committee report, which considered that a "computerised counter attack against cybernet intruders" could be construed as self-defence.

According to Dr Maurushat's research, hack back is fairly common in Australia. She cites an anonymous survey at the 2009 AusCERT security conference where 20 per cent of the audience said they had used hack back. And since it's already happening, she's advocating legislation that permits it if it meets several conditions, such as "sufficient attribution of the source of an attack" and "reasonable, proportionate and necessary" measures that also avoid damage to unintended third parties.

Those are tricky to meet though. A report last week claimed 32 per cent of targeted attacks in the second quarter of 2013 involved a command and control server located in Australia. Chances are that many of these were actually compromised servers, not willing attackers.

Marcus Carey, a former cryptography expert at the NSA, explained the issue to IT Pro.

"When I was at NSA I had a co-worker try to hack back and he was actually hacking an American Oil company that had been compromised."

His rule: don't hack targets outside your network. But he adds: "You should be tracking all enemy activity such as keystrokes and all other traffic. This is where honeypots come into play."

Honeypots are decoy simulated environments designed to lure attackers. Researchers can use them to study attackers' means and methods, but they do have limits.

"Fully automated simulations of a real network cost a lot and can be rather quickly discovered and blacklisted by the attackers. That is why they are not widely used," says Vitaly Kamluk, chief malware analyst in Kaspersky Lab's Global Research & Analysis Team in Russia.

Nonetheless, Carey and McAdam have released honeypot-inspired "active defence" tools that alert customers when their information is stolen. Carey's HoneyDocs rigs decoy documents with a 'call back' feature that tells owners when the document has been accessed. McAdam's tool crawls the web for stolen data.
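An added example (not HoneyDocs' own code) of how such a call-back works on the defender's side: each decoy document embeds a unique beacon URL, and a web-server log parser turns fetches of registered tokens into alerts. The /b/ path, the registry and the log lines are constructed for illustration.

```python
import re
import secrets

# Constructed sample registry: beacon token -> which decoy it was embedded in
# and who should be alerted. In practice this lives in a database.
DECOYS = {
    "a1b2c3d4e5f60718": {"doc": "Q3-merger-plan.docx", "owner": "legal@example.test"},
}

def make_beacon_url(base_url, doc_name, owner, registry):
    """Mint an unguessable token for a new decoy document, record it in the
    registry and return the URL to embed in the document (for example as a
    remote image or template reference that the viewer fetches on open)."""
    token = secrets.token_hex(8)  # 16 hex chars, 64 bits of entropy
    registry[token] = {"doc": doc_name, "owner": owner}
    return f"{base_url}/b/{token}.png"

# Apache/nginx combined log line for a beacon fetch (hypothetical /b/ path).
BEACON_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]{16})\.png HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def beacon_hits(log_lines, registry):
    """Return one alert per beacon fetch whose token matches a registered
    decoy. Fetches of unknown tokens are ignored: they indicate scanning of
    the beacon host, not someone opening a planted document."""
    hits = []
    for line in log_lines:
        m = BEACON_RE.match(line.rstrip("\n"))
        if not m:
            continue
        meta = registry.get(m["token"])
        if meta is None:
            continue
        hits.append({"doc": meta["doc"], "owner": meta["owner"],
                     "src_ip": m["ip"], "time": m["ts"], "user_agent": m["ua"]})
    return hits

# Constructed sample log: one genuine decoy open, one probe of an unregistered
# token, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Sep/2013:14:02:11 +1000] "GET /b/a1b2c3d4e5f60718.png HTTP/1.1" 200 68 "-" "Microsoft Office Word 2010"',
    '198.51.100.9 - - [27/Sep/2013:14:05:00 +1000] "GET /b/ffffffffffffffff.png HTTP/1.1" 404 0 "-" "curl/7.30.0"',
    '198.51.100.9 - - [27/Sep/2013:14:05:01 +1000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for hit in beacon_hits(SAMPLE_LOG, DECOYS):
        print(f"ALERT {hit['owner']}: {hit['doc']} opened from {hit['src_ip']} ({hit['user_agent']})")
```

The source address in an alert is where the document was opened, which may be a proxy or a relay rather than the attacker, so it is a lead for investigation and for the police, not attribution.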

Another Australian company, Threat Intelligence, has launched a new online product that tracks hackers around the world and sends mobile and email alerts to users of its Threat Analytics about attacks against their websites before they begin. It includes hacker profiles and the types of attacks they usually perform.

"We are experiencing a shift in the global threat environment. To prevent falling behind and falling victim to a security breach, organisations need to mature their thinking beyond traditional security controls and into the era of threat management," says Ty Miller, Threat Intelligence founder and CEO.

McAdam says clients are better informed.

"Where we do find a piece of information, we hand it to the client, [who] hands it over to the police and they go do their job. That's a completely appropriate way to do 'hack back'," says McAdam.

But if you've collected attack data and don't get joy from the cops?

"Your best recourse is to dump it publicly," says Moore. "Just publish it all and say hey guys, we're seeing attacks from this company in China, or Malaysia, or wherever it's going to be, and document it and back it all up. The press is probably the best thing you can do at that point."

5 comments

It's still vigilantism. How do you know you are actually targeting the real hackers and not some other decoy or honeypot? Often, you might be getting attacks relayed from another victim. Would any company be prepared to face the legal consequences of that?

Commenter: Knee Jerk, Sydney, September 27, 2013, 3:35PM

Unlike self defence during an act of physical violence against a person, retaliatory hacking cannot have the same level of certainty as to who the perpetrator is, so the innocent would likely be taken. And as retaliatory hacking may be "clearly illegal" in the jurisdiction where the victim resides, it will always be a bad idea...

But as soon as such retaliatory hacking is considered legal down under, rather than possibly "not illegal", expect to see lots of Sony rootkit fiascos happening with all our purchased physical media... damaging our computers...

Retaliatory hacking is immoral and should thus be clearly illegal also. Anything less and we will all suffer injustices at the hands of vigilante multinationals... We also do not need or want legal feature creep to allow such idiotic notions to give media companies any more intrusions into our private lives...

Commenter: Anon, September 28, 2013, 12:23PM

All is fair in love and hacking.

Commenter: Real DC, Melbourne, September 28, 2013, 3:12PM

What is badly needed is the option to legally hack defamation and cyber bullying sites without recourse to expensive litigation in the Supreme Court. Servers need to be made accountable for what they publish wherever in the world.

Commenter: philosopher, September 29, 2013, 11:32AM

Who are the 'Servers' and how do they 'publish'? We simply can't equate blogs, forums, social media and other Web 2.0 phenomena to traditional publishing houses and press and leave it at that. There is a question of practicality that comes into it. It is virtually impossible to control what goes out without stifling the creativity and freedom of users. I think at this point there is a balance of sorts that is working at times. Providers must have a policy for content and a system for removing content as it is reported. Should they fail in this, then that would be a standard for negligence. Ultimately, it is the person or persons who post the content online who should be liable.
